[strongSwan] Issues with getting traffic over the VPN without NAT

Jeremy McCourt jmccourt at us.ibm.com
Wed Jul 31 14:41:25 CEST 2013


Hello all:
I've been struggling with this setup for quite some time now, and I'm
hoping it is quite simple.
I have access to the strongSwan side of the VPN; the other side is a Cisco
ASA 5520 (or something bigger).

Unfortunately, my access to the strongSwan side is via VNC to a Unix
console in what I feel is one of the worst virtual infrastructure providers
I've seen.

So here are the details, and I'm hoping that even though I'm being vague
without every bit of data, someone will have come across this in the past.

strongSwan U5.0.4

config setup
	nat_traversal=yes
	uniqueids=no
	strictcrlpolicy=no
	charonstart=yes
	plutodebug=all

conn %default
	keyingtries=%forever

conn Tunnel_1
	authby=psk
	auto=add
	type=tunnel
	left=10.7.0.10
	leftsubnet=10.7.0.0/24
	leftnexthop=10.7.0.13
	leftfirewall=yes
	right=IPADDRESSA
	rightsubnet=0.0.0.0/0
	ike=3des-md5
	esp=3des-md5
	forceencaps=yes
	ikelifetime=86400
	keylife=86400
	keyexchange=ikev1

There are 4 subnets that I want to bring over the VPN:
192.168.0.0/16
10.48.0.0/16
X
Y
etc....

I only have one interface on the VPN host (eth0); the service provider
doesn't allow any others.
I am able to get traffic from the right side to the destination host, but
only when I use a NAT rule in iptables:
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE

When I take the NAT statements out (and this VPN host isn't doing anything
else, so when I flush the NAT table), it stops working.
I run tcpdump on this host and I see the VPN traffic, let's say a PING
from 192.168.202.100 -> 10.7.0.28. But running Wireshark on 10.7.0.28
doesn't see anything until I add the NAT rule back in.

The ultimate goal is to create a tunnel that will allow and establish based
on bi-directional traffic.

Also, since this host is not the default gateway on the 10.7.0.x segment, I
was planning on using network routes for the 4 subnets via this host
(10.7.0.10) to ensure symmetric routing.

Any help would be greatly appreciated. I've been at this for quite some
time now.

Also, IP forwarding is enabled:

cat /proc/sys/net/ipv4/ip_forward
1


-Jeremy
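As an added illustration of the symmetric-routing concern raised in the post (this is example code, not part of the original message and not a diagnosis of the poster's setup), the small model below simulates the routing decision a LAN host such as 10.7.0.28 makes when it replies to a packet that arrived through the strongSwan gateway 10.7.0.10. It compares three situations: no NAT and no static route, the MASQUERADE rule from the post, and the poster's planned static routes via 10.7.0.10. The addresses are the ones in the post; the LAN host's routing table is constructed, and it assumes the host's default gateway is 10.7.0.13 (the `leftnexthop` in the config). Only the two named remote subnets are modelled; the unnamed "X" and "Y" are omitted.

```python
"""Model of the return path for traffic that enters a LAN via a VPN gateway
that is not the LAN's default gateway. Added example; addresses taken from
the mailing-list post, routing table constructed."""
import ipaddress

# Constructed routing table of a LAN host (e.g. 10.7.0.28): (prefix, next hop).
# A next hop of None means the destination is on-link.
# Assumption: the LAN host's default gateway is 10.7.0.13, as in leftnexthop.
LAN_HOST_ROUTES = [
    (ipaddress.ip_network("10.7.0.0/24"), None),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("10.7.0.13")),
]

# Remote subnets that are reachable only through the VPN host 10.7.0.10.
# The post names two; its "X" and "Y" are not given, so they are left out.
VPN_SUBNETS = [ipaddress.ip_network("192.168.0.0/16"),
               ipaddress.ip_network("10.48.0.0/16")]
VPN_GATEWAY = ipaddress.ip_address("10.7.0.10")


def lookup(routes, dst):
    """Longest-prefix match: return the next hop for dst (None = on-link)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nexthop)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def with_vpn_routes(routes):
    """The poster's plan: one route per remote subnet, via the VPN host."""
    return routes + [(net, VPN_GATEWAY) for net in VPN_SUBNETS]


def reply_next_hop(routes, src_seen_by_lan_host):
    """Where the LAN host sends its echo reply, given the source it saw."""
    return lookup(routes, src_seen_by_lan_host)


def masqueraded_source(original_src):
    """Effect of the MASQUERADE rule on eth0: the LAN host sees the VPN host's
    own address as the packet source, so the reply is always on-link."""
    return VPN_GATEWAY


if __name__ == "__main__":
    remote = "192.168.202.100"  # the ping source from the post
    print("no NAT, no static route   :", reply_next_hop(LAN_HOST_ROUTES, remote))
    print("with MASQUERADE           :", reply_next_hop(LAN_HOST_ROUTES, masqueraded_source(remote)))
    print("static route via 10.7.0.10:", reply_next_hop(with_vpn_routes(LAN_HOST_ROUTES), remote))
```

Without NAT and without a static route the reply to 192.168.202.100 goes to 10.7.0.13, the LAN's default gateway, and never returns to the IPsec host; with MASQUERADE it goes on-link to 10.7.0.10 because the source was rewritten; with the static routes it goes to 10.7.0.10 while the original source address is preserved, which is what "bi-directional" end-to-end traffic needs.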


